Threat Intel Concepts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about threat intelligence management (TIM) indicators.

Indicators are artifacts associated with alerts and are an essential part of the alert management and remediation process.

Fetch indicators

Cortex XSIAM includes integrations that fetch indicators from either a vendor-specific source, such as AutoFocus, or from a generic source, such as a CSV or JSON file.

Common indicator data model

When indicators are ingested, regardless of their source, they have a unified, common set of indicator fields, including traffic light protocol (TLP), expiration, verdict, and tags.

Indicator smart merge

The same indicator can originate from multiple sources and be enriched with multiple methods (integrations, scripts, playbooks, and so on). Cortex XSIAM implements a smart merge logic to make sure indicators are accurately scored (verdict) and aggregated.

Indicator timeline

The indicator timeline is in table format and displays an indicator’s complete history, including the first seen and last seen timestamp, changes made to indicator fields, and more.

Indicator expiration

When ingesting and processing millions of indicators on a daily basis, it’s important to control whether or not they are active or expired and to define how and when indicators are expired.Cortex XSIAM offers multiple options to set indicator expiration.

Export indicators

You can export indicators as a hosted list, an EDL, or a TAXII collection. This enables your SIEM or firewall to ingest or pull the indicator list to update policy rules. The supported list file types are JSON, CSV, and TXT.

Exclusion list

Indicators added to the exclusion list are disregarded by the system and are not created or involved in automated flows such as indicator extraction.